RHEL-112394

rpm: ignore signatures made by disabled algorithms


    • Bug
    • Resolution: Unresolved
    • Major
    • rhel-10.2
    • rhel-10.1
    • rpm
    • rpm-4.19.1.1-23.el10
    • No
    • Moderate
    • rhel-swm
    • 23
    • None
    • False
    • False
    • Yes
    • None

      Signature verification should pass if (and only if):

      • at least one good signature is present, and
      • no bad signature is present

      A good signature is one that:

      • Verifies against the package
      • Uses an algorithm that's enabled in the crypto-policies
      • Has a public key (a.k.a. certificate) imported in the rpm keyring (rpmdb by default)

      Note: The above only applies to signature-enforcing mode, that is, when %_pkgverify_level is set to signature or all. The default setting on RHEL is digest.

      Signatures using algorithms disabled in crypto-policies count as neither good nor bad; they are simply ignored when determining the overall verification result. They are still shown as NOTTRUSTED in the rpmkeys output, though.

      More details: https://docs.google.com/document/d/1XMLDgDi6jMPaJNH_vrU5V-BrYbQNs0qmNOnwQBjQE6w/edit?tab=t.0

    • Pass
    • New Test Coverage
    • Bug Fix
      RPM no longer fails to install or verify a package with multiple signatures when the package has some `NOTTRUSTED` signatures::
      Before this update, when you installed or verified a package with multiple signatures, RPM did not correctly determine the overall verification result when the `rpmkeys(8)` utility reported some of the package signatures as `NOTTRUSTED`. A signature can become `NOTTRUSTED` if, for example, its certificate is expired or revoked, or if its algorithm is disabled by system-wide cryptographic policies. As a consequence, RPM failed to install or verify the package even if the package had at least one valid and trusted signature.
      +
      This update fixes the verification logic in RPM to correctly handle packages with `NOTTRUSTED` signatures. This update also improves error reporting around this functionality.
      +
      As a result, RPM ignores `NOTTRUSTED` package signatures and successfully installs or verifies a package with multiple signatures if the package has at least one valid signature and no invalid signatures. Error messages are also clearer and more accurate when verification actually fails.
    • Done
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      During package installation, signatures made with algorithms that are disabled or unknown in crypto-policies should be ignored (see the epic for a more complete picture).

      Further cases are described in https://docs.google.com/document/d/1XMLDgDi6jMPaJNH_vrU5V-BrYbQNs0qmNOnwQBjQE6w/edit?tab=t.0#heading=h.z4wqfmvf7up7, but these seem to work well for now.
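The decision rule spelled out in the description (pass iff at least one good signature and no bad one, with disabled-algorithm signatures ignored but still displayed as NOTTRUSTED) and restated in the comment above, as an added Python model; this is illustrative code written for this page, not rpm's own implementation. The Signature fields, the enabled-algorithm set and the sample signatures are constructed, and a signing key is assumed to be present in the rpm keyring so that only its trust state varies.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    OK = "OK"                  # good: verifies, enabled algorithm, trusted key in keyring
    BAD = "BAD"                # bad: fails to verify against the package
    NOTTRUSTED = "NOTTRUSTED"  # ignored: disabled algorithm or expired/revoked cert

@dataclass(frozen=True)
class Signature:
    label: str       # display label, e.g. "Header V4 RSA/SHA256" (constructed)
    algorithm: str   # e.g. "RSA/SHA256", "RSA/SHA1"
    verifies: bool   # does the signature check out against the package bytes?
    cert_state: str  # "trusted", "expired" or "revoked" (key assumed present in rpmdb)

def classify(sig, enabled_algorithms):
    """Per-signature verdict, in the terms rpmkeys would display it."""
    if sig.algorithm not in enabled_algorithms or sig.cert_state != "trusted":
        return Verdict.NOTTRUSTED  # shown, but counts as neither good nor bad
    return Verdict.OK if sig.verifies else Verdict.BAD

def verify_package(sigs, enabled_algorithms, pkgverify_level="digest", digest_ok=True):
    """Overall result as (passed, per-signature verdicts).

    pkgverify_level mirrors %_pkgverify_level: 'digest' (RHEL default) enforces
    only the header/payload digests, 'signature' enforces signatures, 'all' both.
    """
    verdicts = [classify(s, enabled_algorithms) for s in sigs]
    if pkgverify_level in ("digest", "all") and not digest_ok:
        return False, verdicts
    if pkgverify_level not in ("signature", "all"):
        return True, verdicts  # signatures are informational only at this level
    good = any(v is Verdict.OK for v in verdicts)
    bad = any(v is Verdict.BAD for v in verdicts)
    return good and not bad, verdicts  # at least one good AND no bad

def report(sigs, verdicts):
    """rpmkeys-style one line per signature."""
    return [f"{s.label}: {v.value}" for s, v in zip(sigs, verdicts)]

# Constructed sample: a current RSA/SHA256 signature plus a legacy SHA1 one,
# under a policy (assumed) that has SHA1 disabled.
ENABLED = {"RSA/SHA256", "RSA/SHA512"}
SIGS = [
    Signature("Header V4 RSA/SHA256", "RSA/SHA256", True, "trusted"),
    Signature("Header V4 RSA/SHA1", "RSA/SHA1", True, "trusted"),
]

if __name__ == "__main__":
    passed, verdicts = verify_package(SIGS, ENABLED, "signature")
    print("\n".join(report(SIGS, verdicts)), "->", "PASS" if passed else "FAIL")
```

With only the legacy signature present, the same package passes at the default `digest` level but fails at `signature` level, since an ignored signature is not a good one.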

              mdomonko@redhat.com Michal Domonkos
              szidek@redhat.com Stanislav Zidek
              packaging-team-maint
              Martin Banas
              Mariya Pershina